Safely Inspecting SSL Transactions Using SSL Decryption
Created On 09/26/18 13:39 PM - Last Modified 07/30/20 18:08 PM
Symptom
CERT/CC has recently published a paper, "The Security Impact of HTTPS Interception"[1], discussing the risks and tradeoffs of SSL inspection. US-CERT has sent Alerts[2][3] highlighting the CERT/CC paper, which customers may have received.
The US-CERT Alert and the CERT/CC paper describe intermediaries that intercept a connection and negotiate insecure SSL/TLS parameters on what would otherwise be a secure connection between the client and the server. This issue is not applicable to the mechanisms used by PAN-OS to decrypt SSL/TLS sessions, because we do not alter the integrity of the cryptographic parameters negotiated by the client and the server.
Environment
- PAN-OS
Resolution
Additional Information
Reference
- [1] https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
- [2] https://www.us-cert.gov/ncas/alerts/TA17-075A
- [3] https://www.us-cert.gov/ncas/alerts/TA15-120A
Resources
- Internet Gateway Best Practice Security Policy, Decrypt Traffic for Full Visibility and Threat Inspection
- How to Configure an OCSP Responder
- PAN-OS® Administrator’s Guide, Configure SSL Forward Proxy
- PAN-OS® New Features Guide, Perfect Forward Secrecy (PFS) Support
- PAN-OS Web Interface Reference, Device > Certificate Management > Certificates
- How to Implement and Test SSL Decryption
- How to Enable CRL and OCSP from the WebGUI and CLI